Setting up Google Workspace for SAML-based Single Sign-On (SSO)
Who is this article for?
Administrators responsible for managing organization security settings in Mazlan Home (formerly known as Ideagen Hub).
Admin Console access is required.
You can set up Google Workspace as your corporate identity provider (IDP) in Mazlan Home using SAML, which is the preferred protocol since Google Workspace has limited OIDC SSO support.
To use an external identity provider like Google, you will need to ensure the Mazlan Home user's authentication type is set to External.
This article outlines how to configure a new SAML app in the Google Workspace Admin console and link it Mazlan Home.
Creating a SAML app
To create a SAML app in Google Workspace.
Go to Google Workspace.
Log in to the Admin console.
Expand Apps.
Select Web and mobile apps.
Click Add app.
Select Add custom SAML app.
Enter a name for your app.
Click Continue.
Click Download Metadata.
Keep the file in a secure place where you can easily access it, as you will need to upload it to Mazlan Home later to finish setting up the SSO configuration.
Configuring the SAML app
Identifier and Reply URL
Mazlan Home
Once you have created the SAML application in Google Workspace, you will need to configure the Identifier and Reply URL. To configure these, you will need to retrieve the Identifier and Reply URL from Mazlan Home.
To retrieve the URLs:
- Sign in to Mazlan Home.
- Navigate to the Admin Console.
- Go to the Security Center.
- Select Authentication.
- Select Eternal IDP Configuration.
- Click Add Identity Provider.
- Select SAML.
- Click Next.
You will see the Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL). - Copy these values to be configured on your Google Workspace app.
Google Workspace
To paste the URLs:
- Go back to Google Workspace.
- Click Continue.
You will be taken to a Service provider details section. - Paste the values for Reply URL (ACS URL) and Entity ID copied from Mazlan Home.
Note
Entity ID represents an organization or a single Mazlan Home subdomain.
Start URL
Mazlan Home
In Mazlan Home, as part of the SAML configuration, you will have to decide whether to allow IdP-Initiated SAML sign-in.
To configure this:
- At the SAML Configuration, select Accept SP-initiated and IdP-initiated SAML assertions only to enable the IdP-initiated workflow, allowing launch of Mazlan Home from your IdP dashboard (if supported).
- Once you allow IdP-initiated SAML assertions, the SAML signing and encryption options will not be supported and will be hidden.
| SAML Configuration - Require SP-initiated SAML assertions | SAML Configuration - accept SP-initiated and IdP-initiated SAML assetions |
- Click Apply Configuration.
You will see the Relay State at the top section of the SAML Configuration. - Copy this value as you will need this to configure your Google Workspace app.
Google Workspace
Configuring attribute mapping
Email attribute
Whether your organisation uses Email as the login identifier, you will need to add the email attribute in Google Workspace and map the email attribute in Mazlan Home.
Google Workspace
To configure the attribute in Google Workspace:
Go to the application in Google Workspace.
Select Primary email under Google Directory attributes.
- Set the value to email.
- Copy this value.
Mazlan Home
To map the attribute:
- Scroll down to the Attribute mapping section.
- Paste the attribute name in the SAML attribute field next to the email User pool attribute.
Username
If your organisation uses Username as login identifier, you must configure an attribute for the preferred username in Google Workspace and map the email and preferred_username attributes in Mazlan Home.
Google Workspace
To configure the attribute in Google Workspace:
Go to the application in Google Workspace.
Click Add mapping.
- Create an attribute with a unique, unchanging value for each user.
For example, employee_id. - Copy this value.
Mazlan Home
To map the attribute:
- Scroll down to the Attribute mapping section.
-
Paste the claim name in the SAML attribute field next to the preferred_username User pool attribute.
Activating the app
When the SAML app is created in Google Workspace, it will be off for everyone by default.
To activate the app:
- Click the Arrow next to User access.
- Assign users by Groups or Organisation Units.
- Set Service status to ON.
- Click Override.